vBulletin Password Handling

    Note: vBulletin Cloud sites cannot use custom password schemes at this time.

    The core security of your site is the user password and how it is stored. In the beginning, vBulletin used a simple MD5 hash to represent the password. However, as floating point processors (i.e. GPUs and ASICs) became more powerful, this method proved to be risky and reduced security. If we significantly changed the password scheme, users wouldn't be able to log in and would need to change their passwords first, so we needed a solution that was more convenient. At this point, a 3 character randomly generated salt was added to the password and it was hashed a second time. Again, technology caught up to this technique, so the salt was increased to 30 characters. Once again, technology caught up with the technique. We needed a better way to hash passwords while still allowing users to log in seamlessly.

    When PHP 5.5 was released, it included a new set of password hashing functions to help with these issues, so they were implemented into vBulletin. A new password system was developed in vBulletin 5 that uses Password Schemes. You can have multiple schemes active at a time and the system will determine which one is needed to verify the login password. Currently vBulletin 5.4.X ships with two password schemes. Both have their pros and cons. The new password functionality provides two things for vBulletin. The first is that it can generate a new salt every time a user password is created. These salts use cryptographically secure random numbers, so they are more complex than the method used previously. The second is that comparing passwords can now be made to take additional time. A key factor in how quickly hashed passwords can be cracked is the time it takes to compute a candidate hash for comparison. Using the argon2id and blowfish algorithms, we can slow the password hashing down so it takes roughly half a second to complete. This helps to negate the additional power added by newer hardware.

    Password Schemes

    vBulletin handles password hashing using PHP's password_hash() and password_verify() functions. This allows the system to utilize different password schemes across your userbase.

    Argon 2ID

    Currently, this is the default password scheme used by vBulletin. It has the highest priority at the moment and is considered to be cryptographically secure.

    Blowfish

    This password scheme is used as a secure fallback if your server does not support Argon 2ID. There are two schemes defined with this hashing method. The higher priority scheme takes more time to create a hash.

    Legacy

    This system allows your users to continue to log in with the password hashes generated in vBulletin 3 and vBulletin 4. This is its only purpose today. We do not recommend that you use it for new users.

    Password Compatibility

    vBulletin Passwords are stored in a manner that tells the software which scheme was used without actually knowing the password. This allows the system to verify any password as long as there is a valid scheme for it. Once the password is verified, it will be saved with the scheme that has the highest priority in your Password Schemes file.
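    The verify-then-upgrade step described above, as an added example (not vBulletin's own code): a small scheme registry parsed from XML in the same shape as pwschemes_vbulletin.xml, a stored row that records which scheme was used, and a login path that verifies with that scheme and then re-stores the password under the highest-priority one. The user row layout (scheme/token/secret), the 'argon2id' scheme name, the legacy formula md5(md5(password) . salt) and the need for PHP 7.4+ are assumptions made for this illustration.

```php
<?php
// Added example, not vBulletin's own code: a minimal model of the scheme
// registry and the verify-then-upgrade step. The XML shape follows
// pwschemes_vbulletin.xml; the row layout (scheme/token/secret), the
// 'argon2id' scheme name and the legacy formula are assumptions.
declare(strict_types=1);

// Constructed scheme file, in the same shape as the default XML.
$schemesXml = <<<'XML'
<?xml version="1.0" encoding="ISO-8859-1"?>
<schemes>
<scheme name='blowfish:12' priority='20' />
<scheme name='blowfish:10' priority='10' />
<scheme name='legacy' priority='1' />
</schemes>
XML;

/** Parse the scheme file and return entries sorted highest priority first. */
function loadSchemes(string $xml): array
{
    $doc = new SimpleXMLElement($xml);
    $schemes = [];
    foreach ($doc->scheme as $s) {
        $schemes[] = ['name' => (string) $s['name'], 'priority' => (int) $s['priority']];
    }
    usort($schemes, fn (array $a, array $b): int => $b['priority'] <=> $a['priority']);
    return $schemes;
}

/** Hash $password under $scheme; the returned row records which scheme was used. */
function hashWithScheme(string $scheme, string $password): array
{
    [$algo, $param] = array_pad(explode(':', $scheme, 2), 2, null);
    switch ($algo) {
        case 'blowfish':
            // password_hash() draws a fresh CSPRNG salt on every call and
            // embeds cost and salt in the token, so no separate salt column.
            $token = password_hash($password, PASSWORD_BCRYPT, ['cost' => (int) $param]);
            return ['scheme' => $scheme, 'token' => $token, 'secret' => ''];
        case 'argon2id':
            if (!defined('PASSWORD_ARGON2ID')) {
                throw new RuntimeException('this PHP build lacks argon2id support');
            }
            $token = password_hash($password, PASSWORD_ARGON2ID);
            return ['scheme' => $scheme, 'token' => $token, 'secret' => ''];
        case 'legacy':
            // Assumed vB3/vB4 form: double MD5 with a 30-character salt.
            $salt = substr(bin2hex(random_bytes(15)), 0, 30);
            $token = md5(md5($password) . $salt);
            return ['scheme' => 'legacy', 'token' => $token, 'secret' => $salt];
    }
    throw new InvalidArgumentException("unknown scheme: $scheme");
}

/** Check $password against the scheme recorded in the stored row. */
function verifyWithScheme(array $row, string $password): bool
{
    [$algo] = explode(':', $row['scheme'], 2);
    switch ($algo) {
        case 'blowfish':
        case 'argon2id':
            return password_verify($password, $row['token']);
        case 'legacy':
            // Constant-time comparison of the recomputed legacy hash.
            return hash_equals($row['token'], md5(md5($password) . $row['secret']));
    }
    return false;
}

/**
 * Login path: verify with whatever scheme the row was stored under, then
 * re-store under the top-priority scheme if it differs. Returns the row to
 * save, or null when the password is wrong.
 */
function loginAndUpgrade(array $row, string $password, array $schemes): ?array
{
    if (!verifyWithScheme($row, $password)) {
        return null;
    }
    $best = $schemes[0]['name'];
    return $row['scheme'] === $best ? $row : hashWithScheme($best, $password);
}

// Walk an imported vB4-style row through one successful login, then a failed one.
$schemes   = loadSchemes($schemesXml);
$legacyRow = hashWithScheme('legacy', 'correct horse battery');
$upgraded  = loginAndUpgrade($legacyRow, 'correct horse battery', $schemes);
printf("%s -> %s\n", $legacyRow['scheme'], $upgraded['scheme']);
var_dump(loginAndUpgrade($upgraded, 'wrong password', $schemes) === null);
```

    The first login succeeds against the legacy row and comes back as a blowfish:12 row, which is what gets written to the database; the second call returns null and leaves the row untouched. Because the scheme name is stored beside the token, the code never has to guess which algorithm produced a hash, and removing a scheme from the file breaks verification for every row still stored under it.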

    Adding New Schemes

    The password system in vBulletin 5 Connect is extensible so you can add your own password schemes. This is controlled by the /core/includes/xml/pwschemes_vbulletin.xml file and the corresponding code found in /core/vb/utility/password/algorithm. Each new scheme added to the system needs an entry in a password schemes XML file and a corresponding class within the algorithm folder.

    Default pwschemes_vbulletin.xml

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:10' priority='10' />
    <scheme name='legacy' priority='1' />
    </schemes>
    

    New Scheme Example

    You can add a new Blowfish/bcrypt scheme with a higher cost so that passwords take longer to hash and verify. This will make the passwords a bit more secure with newer hardware. Since we already have the code needed for the Blowfish scheme to work, we do not need to add any additional code to the system.
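    Picking the cost for the new scheme is a measurement, not a guess: each bcrypt cost step roughly doubles the work, and the article's target is about half a second per hash. The following is an added example (not vBulletin's own code) that times password_hash() at each cost on the machine it runs on and reports the lowest cost that meets the target. The cost range, the target and the use of hrtime() (PHP 7.3+) are assumptions; run it on the production server, since that is where logins are verified.

```php
<?php
// Added example, not vBulletin's own code: time password_hash() at each
// bcrypt cost on this machine and pick the lowest cost that reaches the
// target duration. Target and cost range are assumptions for illustration.
declare(strict_types=1);

/** Average seconds for one bcrypt hash at $cost (hrtime needs PHP 7.3+). */
function measureBcrypt(int $cost, int $rounds = 3): float
{
    $start = hrtime(true);
    for ($i = 0; $i < $rounds; $i++) {
        password_hash('benchmark-only-password', PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    return (hrtime(true) - $start) / 1e9 / $rounds;
}

/**
 * Walk the costs upward (each step roughly doubles the work) and stop at the
 * first one that meets $targetSeconds. Returns $maxCost if none does.
 */
function chooseBcryptCost(float $targetSeconds, int $minCost = 10, int $maxCost = 15): int
{
    for ($cost = $minCost; $cost <= $maxCost; $cost++) {
        $seconds = measureBcrypt($cost);
        printf("cost %2d: %.3f s per hash\n", $cost, $seconds);
        if ($seconds >= $targetSeconds) {
            return $cost;
        }
    }
    return $maxCost;
}

// Half a second per hash, matching the figure given in the article.
$cost = chooseBcryptCost(0.5);
printf("Scheme entry for pwschemes_custom.xml: <scheme name='blowfish:%d' priority='20' />\n", $cost);
```

    Verification costs the same as hashing, so the number this prints is also the latency added to every login and the CPU time each login attempt consumes; a cost that is comfortable on a quiet test box can be too slow on a busy site or a smaller server, which is why the measurement belongs on the hardware that will actually run it.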

    This is a two step process.

    Edit the Password Scheme File

    To add our new simple scheme we need to create our own custom Password Scheme file. Let's add a new level of Blowfish hashing with a higher cost. In the /core/includes/xml directory add a new file called pwschemes_custom.xml. Add the following code to this file:

    <?xml version="1.0" encoding="ISO-8859-1"?>
    <schemes>
    <scheme name='blowfish:15' priority='20' />
    </schemes>
    

    Our new scheme uses the existing password hashing functions but we have increased the cost and the priority. To add this new scheme, we simply have to upload our file to /core/includes/xml. The custom name will ensure it doesn't get overwritten when vBulletin is upgraded to the next version. If we were adding a new type of Password hashing, we would have to provide the corresponding PHP classes to handle this. You can see how this is done by reviewing the classes in the /core/vb/utility/password directory.

    Rebuild Password Schemes

    Once the new file is uploaded to the server, you will need to rebuild the password schemes stored in the database. To do this, we will upload the /core/install directory to the server along with tools.php. You can find tools.php in the do_not_upload directory in your download package. Place this file in /core/install for the current task.

    Once these files are uploaded, point your browser to /core/install/tools.php. If you're asked for your Customer ID, enter it. Once the file has loaded in your browser choose the Rebuild Password Schemes option from the menu. When you're done, delete the /core/install directory from your site.

    Now you should be able to log in normally and your password will be stored in the new scheme.

    Note: When changing vBulletin files, make sure not to overwrite or delete your custom password scheme file. Doing so will prevent logins to the site, because passwords already stored under the custom scheme can no longer be verified.

    Last edited by Wayne Luke; Thu 15 Jun '23, 7:40am.
